On Thu, Jun 11, 2020 at 04:22:37PM +0000, Jeremy Banks wrote:

> At my job, we use Postfix as our email setup. Recently, as part of a
> security audit by one of our customers, we were told that our mail
> relays must accept only TLSv1.2 when doing TLS, and not any prior
> versions.

Tell your customer politely, but firmly, that you are not at liberty to enforce TLS 1.2 inbound, as that would downgrade the security of connections from clients that can only do TLS 1.0. However, since you do support TLS 1.2, they are more than welcome to configure their outbound systems to use at least TLS 1.2.

Don't play green check-box bingo. Actual is about pragmatic choices not maximising checklist scores.

--
Viktor.
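
The split described in the reply, as an added Postfix configuration sketch that is not part of either message: the receiving relay keeps opportunistic TLS open to older clients, while the sending side requires TLS 1.2 or later toward that one destination. It assumes both systems run Postfix; the domain `yourcompany.example` and the policy file path are placeholders.

```ini
# --- Receiving relay (the audited site), main.cf ---
# Opportunistic inbound TLS: STARTTLS is offered, cleartext is still accepted.
smtpd_tls_security_level = may
# Leave TLS 1.0/1.1 enabled. With opportunistic TLS, a client that can only
# do TLS 1.0 and is refused at the handshake is left with cleartext delivery.
smtpd_tls_protocols = !SSLv2, !SSLv3

# --- Sending system (the customer), main.cf ---
# Per-destination TLS policy lookup table (path is a placeholder).
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

# --- Sending system, /etc/postfix/tls_policy ---
# Mandatory TLS toward this destination, with everything below TLS 1.2 excluded.
# yourcompany.example is a placeholder for the audited site's mail domain.
yourcompany.example    encrypt protocols=!SSLv2:!SSLv3:!TLSv1:!TLSv1.1
```

After editing the policy table on the sending system, rebuild it with `postmap /etc/postfix/tls_policy` and reload Postfix.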